Every week during National Cyber Security Awareness Month we will be sharing SANS blog to help keep you, your company and your family safe online.
“The Cloud” can mean different things to different people,
but usually means using a service provider on the Internet
to store and manage your computing systems and/or data
for you. An advantage of the Cloud is that you can easily
access and synchronize your data from multiple devices
anywhere in the world, and you can also share your
information with anyone you want. We call these services
“The Cloud” because you often do not know where your data is physically stored. Examples of Cloud computing include creating documents on Google Docs, sharing files via Dropbox, setting up your own server on Amazon Cloud, storing customer data in Salesforce, or archiving your music or pictures on Apple”s iCloud. These online services can make you far more productive, but they also come with unique risks. In this newsletter, we cover how you can securely make the most of the Cloud.
Selecting a Cloud Provider
The Cloud is neither good nor evil; it is a tool for getting things done, both at work and at home. However, when you use these services you are handing over your private data to others, and you expect them to keep it both secure and available. As such, you want to be sure you are choosing your Cloud provider wisely. For your work computers or work-related information, check with your supervisor to see if your company allows you to use Cloud services. If you are allowed to use the Cloud, con rm which Cloud services you can use and what the policies are on how to use them. If you are considering a Cloud service for your personal use, consider the following.
- Support: How easy is it to get help or have a question answered? Is there an email address you can contact, public forums you can post questions to, or Frequently Asked Questions on their website?
- Simplicity: How easy is it to use the service? The more complex the service is, the more likely you will make mistakes and accidentally expose or lose your information. Select a Cloud provider you find easy to understand, configure, and use.
- Security: What data is collected about you, if any? How will your data get from your computer to the Cloud, and how is it stored in the Cloud? Is it encrypted, and if so, who can decrypt your data?
- Terms of Service: Take a moment to review the Terms of Service. (They are often surprisingly easy to read.) Con rm who can access your data and what your legal rights are, as well as any security responsibilities assumed by the provider or required by you.
Securing Your Data
Once you have selected a Cloud provider, the next step is to make sure you use your Cloud services properly. How you access and share your data can often have a far greater impact on the security of your files than anything else. Some key steps you can take include:
- Authentication: Use a strong, unique passphrase to authenticate to your Cloud account. If your Cloud provider offers two-step verification, we highly recommend that you enable it. This is one of the most important steps you can take to protect your account.
- Sharing Files/Folders: The Cloud makes it very simple to share, sometimes too simple. In a worst-case scenario, you may think you are sharing your files with just a specific individual, but you may accidentally make your files or even entire folders publicly available to the entire Internet. The best way to protect yourself is to not share any of your files with anyone by default. Then only allow specific people (or groups of people) access to specific files or folders on a need-to-know basis. When someone no longer needs access to your files, remove them. Your Cloud provider should provide an easy way to track who has access to your files and folders.
- Sharing Files/Folders Using Links: One common feature of some Cloud services is the ability to create a web link that points to your files or folders. This feature allows you to share these files with anyone you want by simply providing a web link. However, this approach has very little security. Anyone that knows this link may have access to your personal files or folders. If you send the link to just one person, that person could share that link with others, or it could show up on search engines. If you share data by using a link, be sure you disable the link once it is no longer needed by setting an expiration date or, if possible, protect the link with a password.
- Settings: Understand the security settings offered by your Cloud provider. For example, if you share a folder with someone else, can they in turn share your data with others without your knowledge? Also, see if there are ways to see who has viewed your shared content and when they viewed it. Can you restrict sharing to “read only” versus giving read+write, which means people can also modify the files?
- Antivirus: Make sure the latest version of antivirus software is installed on your computer and on any other computer used to share your data. If a file you are sharing gets infected, other computers accessing that same file could also get infected.
Guest Editor
Dave Shackleford (@daveshackleford) is a professional consultant who owns Voodoo Security and is the author of numerous SANS training courses, including Security 579: Virtualization and Private Cloud Security and Security 524: Cloud Security Fundamentals.